Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Thomas,

On Fri, Mar 17, 2023 at 05:37:54PM +, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
>
> On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> > I have prepared an update for Ceph in Bullseye to address
> > CVE-2022-3650 (ie: ceph to root privilege escalation).
> > The security team already told me that there will be no DSA.
>
> Your upload doesn't match the debdiff on this bug (see
> https://release.debian.org/proposed-updates/bullseye_diffs/ceph_14.2.21-1+deb11u1.debdiff).
> Is that intentional or did something go wrong?

Have you seen the question from Jonathan? Right now it was not accepted, respectively held back, see
https://release.debian.org/proposed-updates/stable.html and thus will miss the next point release.

Regards,
Salvatore
Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Control: tag -1 moreinfo

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (ie: ceph to root privilege escalation).
> The security team already told me that there will be no DSA.

Your upload doesn't match the debdiff on this bug (see
https://release.debian.org/proposed-updates/bullseye_diffs/ceph_14.2.21-1+deb11u1.debdiff).
Is that intentional or did something go wrong?

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Processed: Re: Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Processing control commands:

> tag -1 moreinfo
Bug #1026078 [release.debian.org] bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Added tag(s) moreinfo.

-- 
1026078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026078
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Processing control commands:

> tag -1 confirmed
Bug #1026078 [release.debian.org] bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Added tag(s) confirmed.

-- 
1026078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026078
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Control: tag -1 confirmed

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (ie: ceph to root privilege escalation).
> The security team already told me that there will be no DSA.

Please go ahead with the distribution label fixed.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Hi Thomas,

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (ie: ceph to root privilege escalation).
> The security team already told me that there will be no DSA.
>
> [ Reason ]
> (Explain what the reason for the (old-)stable update is. I.e.
> what is the bug, when was it introduced, is this a regression
> with respect to the previous (old-)stable.)
>
> [ Impact ]
> Anyone logged as Ceph can become root whenever there's a disk
> event without the attached patch.
>
> [ Tests ]
> Upstream runs functional test suite, and I trust it.
>
> [ Risks ]
> The code is quite trivial and easy to backport (python code).
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> The Python code checks input better and avoids privilege escalation.
> See attached debdiff, it's quite readable.
>
> Cheers,
>
> Thomas Goirand (zigo)
> diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog > --- ceph-14.2.21/debian/changelog 2021-05-27 12:04:21.0 +0200 > +++ ceph-14.2.21/debian/changelog 2022-11-30 14:20:19.0 +0100 > @@ -1,3 +1,10 @@ > +ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium > + > + * CVE-2022-3650: privilege escalation from the ceph user to root. Applied > +upstream patches (Closes: #1024932).

For the upload via bullseye-pu the target distribution needs to be changed as well to 'bullseye'.

Regards,
Salvatore
Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I have prepared an update for Ceph in Bullseye to address
CVE-2022-3650 (ie: ceph to root privilege escalation).
The security team already told me that there will be no DSA.

[ Reason ]
(Explain what the reason for the (old-)stable update is. I.e.
what is the bug, when was it introduced, is this a regression
with respect to the previous (old-)stable.)

[ Impact ]
Anyone logged as Ceph can become root whenever there's a disk
event without the attached patch.

[ Tests ]
Upstream runs functional test suite, and I trust it.

[ Risks ]
The code is quite trivial and easy to backport (python code).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The Python code checks input better and avoids privilege escalation.
See attached debdiff, it's quite readable.

Cheers,

Thomas Goirand (zigo)

diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog --- ceph-14.2.21/debian/changelog 2021-05-27 12:04:21.0 +0200 +++ ceph-14.2.21/debian/changelog 2022-11-30 14:20:19.0 +0100
@@ -1,3 +1,10 @@ +ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium + + * CVE-2022-3650: privilege escalation from the ceph user to root. Applied +upstream patches (Closes: #1024932). + + -- Thomas Goirand Wed, 30 Nov 2022 14:20:19 +0100 + ceph (14.2.21-1) unstable; urgency=high * New upstream release, resolving these: diff -Nru ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch --- ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch 1970-01-01 01:00:00.0 +0100 +++ ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch 2022-11-30 14:20:19.0 +0100 
@@ -0,0 +1,61 @@ +Description: CVE-2022-3650: ceph-crash: drop privleges to run as "ceph" user, rather than root + If privileges cannot be dropped, log an error and exit. This commit + also catches and logs exceptions when scraping the crash path, without + which ceph-crash would just exit if it encountered an error. +Author: Tim Serong +Date: Wed, 2 Nov 2022 14:27:47 +1100 +Bug: https://tracker.ceph.com/issues/57967 +Signed-off-by: Tim Serong +Origin: upstream, https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382 +Bug-Debian: https://bugs.debian.org/1024932 +Last-Update: 2022-11-28 + +--- ceph-14.2.21.orig/src/ceph-crash.in ceph-14.2.21/src/ceph-crash.in +@@ -3,8 +3,10 @@ + # vim: ts=4 sw=4 smarttab expandtab + + import argparse ++import grp + import logging + import os ++import pwd + import socket + import subprocess + import sys +@@ -76,7 +78,23 @@ def scrape_path(path): + ) + + ++def drop_privs(): ++if os.getuid() == 0: ++try: ++ceph_uid = pwd.getpwnam("ceph").pw_uid ++ceph_gid = grp.getgrnam("ceph").gr_gid ++os.setgroups([]) ++os.setgid(ceph_gid) ++os.setuid(ceph_uid) ++except Exception as e: ++log.error(f"Unable to drop privileges: {e}") ++sys.exit(1) ++ ++ + def main(): ++# run as unprivileged ceph user ++drop_privs() ++ + args = parse_args() + postdir = os.path.join(args.path, 'posted') + if args.name: +@@ -88,7 +106,10 @@ def main(): + + log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0)) + while True: +-scrape_path(args.path) ++try: ++scrape_path(args.path) ++except Exception as e: ++log.error(f"Error scraping {args.path}: {e}") + if args.delay == 0: + sys.exit(0) + time.sleep(args.delay * 60) diff -Nru ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch --- ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch 1970-01-01 01:00:00.0 +0100 +++ 
ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch 2022-11-30 14:20:19.0 +0100 @@ -0,0 +1,24 @@ +Description: CVE-2022-3650: ceph-crash: fix stderr handling + Popen.communicate() returns a tuple (stdout, stderr), and stderr + will be of type bytes, hence the need to decode it before checking + if it's an empty string or not. +Author: Tim Serong +Date: Wed, 2 Nov 2022 14:23:20 +1100 +Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e +Signed-off-by: Tim Serong +Bug-Debian: https://bugs.debian.org/1024932
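Review bot: the debian/changelog hunk names the wrong suite for this upload: `+ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium` targets the security archive, but this request is a bullseye-pu upload that goes through proposed-updates, so the distribution field must read `bullseye`. With `bullseye-security` in the changelog the upload will not match the debdiff the release team reviews and is held back from the point release, which is exactly what happened later in this thread.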
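Review bot: in the `drop_privs()` hunk of CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch the guard `if os.getuid() == 0:` silently does nothing when ceph-crash is started as some unprivileged user other than `ceph`, and nothing confirms the switch succeeded after `os.setuid(ceph_uid)`; suggest logging the effective uid/gid at the end of the function and treating `os.getuid() != ceph_uid` after the switch as the same fatal condition as the `except` branch. The order `os.setgroups([])`, `os.setgid(ceph_gid)`, `os.setuid(ceph_uid)` is the right one (groups and gid can only be changed while still root). Since `drop_privs()` now runs before `parse_args()` and `scrape_path()`, the crash directory and its `posted` subdirectory have to be readable and writable by the `ceph` user where root previously needed nothing; that operational requirement belongs in the patch Description or the package's NEWS so that existing installs with root-owned crash directories are not surprised by the new "Error scraping" messages. Minor: the patch file name and its Description line both spell "privleges"; worth fixing while the patch is being re-uploaded anyway.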
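Review bot: in the `main()` loop hunk (`+try: scrape_path(args.path) ... +except Exception as e: log.error(...)`) a failed scrape is logged and then control falls through to `if args.delay == 0: sys.exit(0)`, so a one-shot run (delay 0) that could not scrape anything still exits with status 0 and a systemd oneshot unit or cron job will report success. Suggest remembering that the scrape failed and using a non-zero exit code in that branch, for example `sys.exit(1 if failed else 0)`. Catching the broad `Exception` is reasonable here because the intent stated in the Description is to keep ceph-crash alive rather than let it die on the first error, but the log line should carry the exception type as well as its message (`{e!r}` rather than `{e}`) so that a permission error after the privilege drop can be told apart from a malformed crash report.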
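Review bot: the DEP-3 header of CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch puts a bare commit id in the bug field (`+Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e`), whereas DEP-3 expects `Bug:` to hold a URL to the upstream bug report, and the first patch in this debdiff records the upstream commit under `Origin: upstream, https://github.com/ceph/ceph/commit/...`. Suggest using the same `Origin:` form pointing at that commit, adding the `Last-Update:` line the first patch has, and keeping `Bug-Debian: https://bugs.debian.org/1024932` as the only bug reference.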